feat(fossa): add new FOSSA composite actions #519
Conversation
- Fix 'parallel' to 'sequential' workflow description
- Fix double @@ to single @ in example usage

db3399a to 788d8f5
Pull Request Overview
This PR introduces new composite GitHub Actions for FOSSA integration, specifically adding functionality to wait for scan completion and create releases with report generation. These actions enable automated SBOM and attribution report publishing to FOSSA release groups.
- Adds a `wait-for-scan` action that polls FOSSA's revisions API to ensure scan completion before proceeding
- Adds a `release` action that creates releases in separate groups and generates attribution/SBOM reports
- Includes comprehensive documentation for both actions with usage examples and workflow integration
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| fossa/wait-for-scan/action.yml | Composite action that polls FOSSA API to wait for scan completion with configurable timeout and polling intervals |
| fossa/wait-for-scan/README.md | Documentation explaining the wait-for-scan action usage, implementation details, and workflow integration |
| fossa/release/action.yml | Composite action that creates FOSSA releases and generates attribution/SBOM reports to different release groups |
| fossa/release/README.md | Documentation for the release action covering inputs, supported formats, and error handling |
Leaving minor clarification comments.
fossa/release/README.md (outdated)

| Input | Description | Required | Default |
|---|---|---|---|
| `sbom-release-group-id` | Release group ID for SBOM reports | Yes | - |
| `release-number` | Version number of the release to be created | Yes | - |
| `project-id` | Project ID (locator) | Yes | - |
| `branch` | Name of the branch | Yes | - |
Should this be any branch or a release branch in particular?
Updated the documentation to clarify.
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
- Build locator consistently with wait-for-scan action
- Use pre-constructed LOCATOR variable in JSON payload
- Ensure proper $ escaping for literal dollar sign
- Add debug output for locator construction

Fixes reviewer feedback about inconsistent locator construction.
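The two points this commit touches, building the locator once with a literal `$` and polling with a bounded timeout before a release step may proceed, as an added shell example that is not the PR's own action code. It assumes a FOSSA locator has the shape `<project-id>$<revision>` and stands in for the revisions API with a caller-supplied probe command, so no endpoint or response format is assumed here.

```shell
#!/usr/bin/env bash
# Added example, not the PR's composite action. Assumption: a locator is
# "<project-id>$<revision>" with a literal "$" separator.
set -eu

# Build the locator in one place and reuse the value, so the release step
# and the wait-for-scan step cannot disagree. The single-quoted format
# string keeps the "$" literal; the shell never tries to expand it.
build_locator() {
  project_id="$1"
  revision="$2"
  printf '%s$%s' "$project_id" "$revision"
}

# Run a probe command until it succeeds, giving up after "timeout" seconds
# and sleeping "interval" seconds between attempts. Exit status 0 means the
# probe succeeded in time; 1 means the deadline passed, which a workflow
# should treat as a failed job rather than proceeding to the release step.
wait_for() {
  timeout="$1"
  interval="$2"
  shift 2
  deadline=$(( $(date +%s) + timeout ))
  while ! "$@"; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out after ${timeout}s waiting for: $*" >&2
      return 1
    fi
    sleep "$interval"
  done
  return 0
}

# Constructed stand-in for the scan-status check: succeeds on the third call.
probe_calls=0
flaky_probe() {
  probe_calls=$(( probe_calls + 1 ))
  [ "$probe_calls" -ge 3 ]
}

# Demo: constructed project id and revision, printed with the debug output
# the commit message describes.
LOCATOR=$(build_locator 'custom+1/example-project' 'abc123')
echo "locator: $LOCATOR"
```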
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
LGTM, thank you.
This PR adds a new composite action that can be used to publish SBOMs and attribution text to FOSSA release groups.
Related: https://github.com/camunda/team-infrastructure/issues/854